A service gateway maintains forwarding components operative to forward data packets within corresponding VPNs, and also maintains subscriber sessions for subscribers via respective subscriber interfaces. The association between the subscribers and the forwarding components is independent of the subscriber interfaces, such that the subscribers reachable via a given interface are associable with any forwarding component. Upon detecting an appropriate event, such as a service selection action, the service gateway modifies the forwarding components of first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN. The service gateway also effects a change of a network address that identifies the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN. Mechanisms for effecting such a change of network address include DHCP, IPCP, RADIUS, and NAT. The service gateway employs control policies to govern the transfer of subscribers among VPNs.
1. A method of operating a service gateway, comprising:
maintaining a plurality of forwarding components, each forwarding component being operative to provide forwarding of data packets within a corresponding one of a plurality of virtual private networks (VPNs) accessible via the service gateway;
maintaining respective subscriber sessions for a plurality of subscribers coupled to the service gateway via respective subscriber interfaces, each subscriber session involving the forwarding of data packets between a corresponding subscriber and a corresponding VPN by action of a corresponding forwarding component, the association between the subscribers and the forwarding components being independent of the subscriber interfaces such that the respective subscriber sessions of those subscribers reachable via a given interface are associable with respective different ones of the forwarding components; and
upon detecting an event indicating that a subscriber session is to be transferred from a first VPN to a second VPN, (1) modifying the respective forwarding components of the first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN, and (2) effecting a change of a network address identifying the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN,
wherein effecting the change of the network address comprises exercising a mechanism for dynamically causing the subscriber whose session is to be transferred to change the network address the subscriber utilizes in data communications packets to the second network address,
and wherein the subscriber session is an IP session initially associated with the first network address, the first network address having been provided by a preceding Dynamic Host Control Protocol (DHCP) process, and wherein effecting the change of the network address comprises (1) rejecting a DHCP renewal request from the subscriber attempting to renew a lease on the first network address, and (2) responding to a subsequent DHCP discovery request from the subscriber by providing the second network address to the subscriber for subsequent use in the data packets exchanged between the subscriber and the second VPN.
9. A service gateway for providing subscriber access to multiple virtual private networks (VPNs), comprising:
means for interfacing with a plurality of subscribers and with the VPNs, the subscribers being coupled to the service gateway via respective subscriber interfaces;
means for forwarding packets from ingress ports to egress ports of the interfacing means;
means for maintaining a plurality of forwarding components, each forwarding component being operative to provide forwarding of data packets within a corresponding one of a plurality of virtual private networks (VPNs) accessible via the service gateway;
means for maintaining respective subscriber sessions for the plurality of subscribers, each subscriber session involving the forwarding of data packets between a corresponding subscriber and a corresponding VPN by action of a corresponding forwarding component, the association between the subscribers and the forwarding components being independent of the subscriber interfaces such that the respective subscriber sessions of those subscribers reachable via a given interface are associable with respective different ones of the forwarding components; and
means, operative upon detecting an event indicating that a subscriber session is to be transferred from a first VPN to a second VPN, for (1) modifying the respective forwarding components of the first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN, and (2) effecting a change of a network address identifying the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN,
wherein the means for effecting the change of the network address includes means for exercising a mechanism for dynamically causing the subscriber whose session is to be transferred to change the network address the subscriber utilizes in data communications packets to the second network address,
and wherein the subscriber session is an IP session initially associated with the first network address, the first network address having been provided by a preceding Dynamic Host Control Protocol (DHCP) process, and wherein the means for effecting the change of the network address comprises means for (1) rejecting a DHCP renewal request from the subscriber attempting to renew a lease on the first network address, and (2) responding to a subsequent DHCP discovery request from the subscriber by providing the second network address to the subscriber for subsequent use in the data packets exchanged between the subscriber and the second VPN.
5. A service gateway for providing subscriber access to multiple virtual private networks (VPNs), comprising:
a plurality of port adapters for interfacing with subscribers and with the VPNs, the subscribers being coupled to the service gateway via respective subscriber interfaces;
a switch fabric operative to forward packets from ingress ports to egress ports of the port adapters; and
a processor operative to:
maintain a plurality of forwarding components, each forwarding component being operative to provide forwarding of data packets within a corresponding one of a plurality of virtual private networks (VPNs) accessible via the service gateway;
maintain respective subscriber sessions for a plurality of subscribers coupled to the service gateway via the respective subscriber interfaces, each subscriber session involving the forwarding of data packets between a corresponding subscriber and a corresponding VPN by action of a corresponding forwarding component, the association between the subscribers and the forwarding components being independent of the subscriber interfaces such that the respective subscriber sessions of those subscribers reachable via a given interface are associable with respective different ones of the forwarding components; and
upon detecting an event indicating that a subscriber session is to be transferred from a first VPN to a second VPN, (1) modify the respective forwarding components of the first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN, and (2) effect a change of a network address identifying the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN,
wherein the processor is operative when effecting the change of the network address to exercise a mechanism for dynamically causing the subscriber whose session is to be transferred to change the network address the subscriber utilizes in data communications packets to the second network address,
and wherein the subscriber session is an IP session initially associated with the first network address, the first network address having been provided by a preceding Dynamic Host Control Protocol (DHCP) process, and wherein the processor is operative when effecting the change of the network address to (1) reject a DHCP renewal request from the subscriber attempting to renew a lease on the first network address, and (2) respond to a subsequent DHCP discovery request from the subscriber by providing the second network address to the subscriber for subsequent use in the data packets exchanged between the subscriber and the second VPN.
2. The method according to
during an initial interim period in which the subscriber attempts to exchange subscriber data packets with the second VPN using the first network address, applying network address translation (NAT) that maps the first network address in data packets exchanged with the subscriber to the second network address in data packets exchanged with the second VPN; and
upon responding to the subsequent DHCP discovery request from the subscriber,
subsequently permitting direct, non-NAT exchange of future data packets between the subscriber and the second VPN.
3. The method according to
4. The method according to
6. The service gateway according to
during an initial interim period in which the subscriber attempts to exchange subscriber data packets with the second VPN using the first network address, apply network address translation (NAT) that maps the first network address in data packets exchanged with the subscriber to the second network address in data packets exchanged with the second VPN; and
upon responding to the subsequent DHCP discovery request from the subscriber,
subsequently permit direct, non-NAT exchange of future data packets between the subscriber and the second VPN.
7. The service gateway according to
8. The service gateway according to
The present invention is related to the field of data communications networks.
It is known to use network devices such as routers, switches and bridges to forward data packets within data communications networks. A router is an example of a device operating at the network layer, or layer 3 of the well-known Open Systems Interconnect (OSI) model. Bridges and switches are examples of layer-2 devices.
It is known to define so-called “virtual private networks” or VPNs within larger (often public) networks such as the global Internet. A VPN can be seen as a collection of specialized network devices and/or specialized functions on otherwise standard network devices that co-operate to carry out data communications in a manner that segregates such communications from other data communications carried by the larger network. There are a variety of known VPN technologies, including technologies based on the Internet Protocol (IP), virtual local area network (VLAN) technologies, and virtual private dial-up networks (VPDNs). Routers may offer support for layer-3 VPNs through the use of multiple so-called “virtual routing and forwarding” tables or VRFs. The VRFs correspond to multiple independent “virtual routers” within a physical router, with each virtual router operating as a node on a corresponding VPN. VLANs generally employ bridging or switching instances located within network devices.
Example embodiments of the present invention are described with reference to the accompanying drawings, in which:
VPN technologies are being used to expand virtual-private-networking closer to the initial network access point for subscribers. Data service providers that in the past have operated relatively centralized networks with dial-in access for subscribers are now pushing their networks closer to subscribers, who in turn are making greater use of Ethernet connectivity which lends itself to integration in VPNs more naturally than does conventional dial-up technology. Additionally, in some areas it is required that so-called “network access providers” (also referred to as “access providers” or APs) that have direct physical connections with subscribers provide subscriber access to other service providers. A further factor shaping the operations of edge devices such as edge routers is the lack of native identification and authentication functions within the Internet Protocol (IP). APs may provide networks dedicated for these and related functions that are performed upon initial subscriber interaction, before the subscriber actually begins utilizing a desired service that is delivered via a corresponding VPN. Thus, there is a need for edge devices capable of managing the involvement of subscribers with multiple VPNs.
A service gateway is disclosed that provides VPN support in the form of multiple independent forwarding components, as well as having functions for adding subscribers to forwarding components and transferring subscribers among forwarding components in a seamless manner.
The disclosed service gateway maintains multiple forwarding components, each forwarding component being operative to provide forwarding of data packets within a corresponding VPN accessible via the service gateway. The service gateway also maintains respective subscriber sessions for a plurality of subscribers coupled to the service gateway via respective subscriber interfaces, wherein each subscriber session involves the forwarding of data packets between a corresponding subscriber and a corresponding VPN by action of a corresponding forwarding component. The association between the subscribers and the forwarding components is independent of the subscriber interfaces such that the respective subscriber sessions of those subscribers reachable via a given interface are associable (i.e. can be associated) with respective different ones of the forwarding components.
Upon detecting an event indicating that a subscriber session is to be transferred from a first VPN to a second VPN, the service gateway modifies the respective forwarding components of the first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN. The service gateway also effects a change of a network address that identifies the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN. Several mechanisms for effecting such a change of network address are described.
In one embodiment, the above operations are carried out as part of a transfer of the subscriber from an initial service and to another service selected by the subscriber. The initial service may provide authentication, authorization and accounting operations in relation to the subscriber's session, whereas the new service may be an Internet browsing session in which the subscriber finds and accesses desired information, for example. The service gateway may also need to provide a new network address (e.g., Internet Protocol (IP) address) for identifying the subscriber in data packets exchanged between the subscriber and the selected VPN.
In the system of
The AP network 16 is often operated by a telecommunications service provider or “carrier” that provides subscribers 10 physical access to a wide-area communications system or network. In the US, examples of such access providers include cable companies such as Comcast and telephone companies such as Verizon. In addition to providing the physical network connectivity, these access providers often provide Internet service and/or other data services, which may or may not be on a subscription basis. In the present description, the AP network 16 is also referred to as the “local” network. The SP networks 28 are assumed to be layer-2 or layer-3 networks that the subscribers 10 desire to have access to even though they do not have direct physical connectivity to them. Examples of such SP networks 28 include America Online (AOL) and Earthlink. In some areas of the world, it is legally mandated that AP networks 16 provide for access to third-party SP networks 28, to foster competition in the market for Internet/data services.
The service gateway 18 incorporates the functionality of layer-2 forwarding and/or layer-3 routing as well as higher-level functions as described herein. In connection with these higher-level functions, the service gateway 18 interacts with the various servers 20-26 of the AP network 16 (and/or similar servers of the SP network(s) 28 as described below). The AAA server 20 is used as part of managing the subscribers 10 as customers, including such functions as confirming subscriber identity and tracking subscriber usage for billing purposes. The policy server 22 oversees the dynamic aspect of the configuration by acting as a policy decision point with the ability to push new configuration to enforcement points such as the service gateway 18. Examples are given below. The web portal 24 serves as a point of interaction for the subscribers 10 when they initiate a session. The DHCP server 26 is used for dynamic assignment of network addresses (e.g. IP addresses) and other configuration information to DHCP clients among the subscribers 10. One or more of the AAA, policy server, web portal, and DHCP functions may be incorporated within the service gateway itself 18 in alternative embodiments. With respect to the DHCP function, it may be desirable to employ multiple DHCP servers in an alternative embodiment, with each DHCP server being associated with a different SP network 28 for example.
As noted, one or more of the SP networks 28 may include its own set of servers such as AAA servers, policy servers, DHCP servers and web portals for use by subscribers specifically associated with such SP networks 28. The servers 20-26 within the AP network 16 can be seen as being shared among multiple service providers, especially among those SP networks 28 not having their own set of such servers.
Alternative embodiments of the service gateway 18 may employ different specific hardware configurations. For example, the functions ascribed to the route processor 38 may be performed by one or more processors, which may be centralized or may be distributed among different hardware elements. Both the route processor 38 and such alternative processor arrangements are included within the general term “processor” utilized herein. Also, in an alternative embodiment, the PAs 32 may omit the specialized forwarding engines mentioned above.
Each forwarding component 40, 42 maintains a respective forwarding database for the associated network 16 or 28. There may also be an associated forwarding table derived from the forwarding database and utilized by the port adapters 32 in forwarding packets from ingress ports to egress ports of the service gateway 18. In general, the different forwarding components 40, 42 are entirely distinct from each other, as are the networks 16 and 28. There may be some overlap of entry information where there is corresponding overlap among the networks 16, 28, such as for routers or other devices that carry traffic crossing between different networks 16, 28. It will be appreciated that the AP NW forwarding component 40 may have much more limited functionality than the SP NW forwarding components 42, due to its more limited role as part of initial subscriber access to the system. Indeed, in an alternative embodiment there may be no need for an explicit AP NW forwarding component 40.
In step 50, the VPN selection and transfer logic 44 maintains respective subscriber sessions for a plurality of subscribers coupled to the service gateway via respective subscriber interfaces. Each subscriber session involves the forwarding of data packets between a corresponding subscriber and a corresponding VPN by action of a corresponding forwarding component. The association between the subscribers and the forwarding components is independent of the subscriber interfaces, such that the subscriber sessions of those subscribers reachable via a given subscriber interface may be associated with respective different ones of the forwarding components.
In step 52, upon detecting an event indicating that a subscriber session is to be transferred from a first VPN to a second VPN, the VPN selection and transfer logic 44 modifies the respective forwarding components of the first and second VPNs to reflect that the subscriber session is active in the second VPN and is not active in the first VPN, and may also effect a change of a network address identifying the corresponding subscriber from a first network address defined in the first VPN to a second network address defined in the second VPN. The event in step 52 may take the form, for example, of a subscriber's selection of a new service (e.g., at the web portal 24), a control policy action, or termination of a network service (e.g. due to prepaid credit exhaustion or the detection of improper service usage). Upon completion of the transfer, subscriber traffic is routed using an SP NW forwarding component 42 associated with the selected SP network 28 (e.g., SP NW forwarding component 42-2). Specific examples are described below.
It should be noted that although step 52 refers to the transfer of a subscriber from a first VPN to a second VPN, there is normally a preceding time at which the subscriber is placed in an initial VPN. The action is similar to a transfer insofar as it includes adding the subscriber to a VPN and allocating or assigning a network address. This initial subscriber placement may occur, for example, by detection of a request from a subscriber to establish a point-to-point protocol (PPP) session, or a DHCP discovery request. More generally, the first interaction may be in the form of a control message from the subscriber, if a control protocol is employed, or the receipt of a first data message from the subscriber if no session has previously been established.
The VPN selection and transfer logic 44 may obtain and apply control policies for an initial service provided to the subscriber (e.g., in the situation depicted in
Upon completion of step 52 of
With respect to assigning a new network address in step 52 of the process of
As an example in the case of PPP sessions, it may be possible to re-negotiate the subscriber session parameters (which include the IP address) using the Internet Protocol Control Protocol (IPCP). The VPN selection and transfer logic 44 may be configured with a pool of allocable IP addresses for each of the SP networks 28, for example. After allocating a new IP address, the VPN selection and transfer logic 44 engages in an IPCP exchange with the subscriber 10 to cause the subscriber to begin using the new IP address rather than the initial IP address originally established for the PPP session.
Alternatively, when the subscriber utilizes a statically assigned IP address with the PPP session (and thus the address cannot be re-negotiated using IPCP as above), the VPN selection and transfer logic 44 may establish a NAT mapping to translate between the subscriber's fixed IP address and the IP address that has been allocated to identify the subscriber in the selected network 28. This NAT mapping is applied between the subscriber interface and the forwarding component 42, in a manner similar to that described below for an IP session.
Another example is an IP session. Where a subscriber 10 employs DHCP to obtain an IP address, it may be desirable to provide a short lease time on the initial address used in the context of an initial service. After the subscriber has selected another service, the next DHCP renewal request from the subscriber is rejected, causing the subscriber to re-initiate DHCP discovery. At that point, the VPN selection and transfer logic 44 can provide the subscriber with the new IP address that is routable in the selected network. It is noted that there will be a period between service selection and the expiration of the lease for the initial IP address during which the subscriber will not yet be able to access the selected SP network 28. The duration of this period can be minimized by using very short lease periods where possible. Also, the service gateway 18 may issue a DHCP FORCE RENEW message to the subscriber 10 to force the subscriber 10 to immediately renew its address lease rather than waiting until the normal renewal time. Either in addition to or in lieu of such measures, network address translation (NAT) can be employed on an interim basis during this period in order to permit the subscriber to access the selected SP network 28 immediately. The use of interim NAT is described more fully below.
Where the service gateway 18 cannot provide a new IP address to the subscriber, such as for example when the subscriber is configured with a static IP address, then the VPN selection and transfer logic 44 may employ a mechanism such as NAT to effectively change the IP address utilized for subscriber traffic within the selected SP network 28. A pair of NAT entries for the subscriber are created in a NAT data structure, one for packets flowing in each direction. For packets flowing from the subscriber 10 to the SP network 28, the source address is replaced with the new IP address allocated for use by the subscriber in the SP network. After this replacement, packets are forwarded according to the forwarding entries for the forwarding component 42 of the selected SP network 28. Packets flowing in the opposite direction are handled in essentially reverse fashion—first directed to the NAT by action of the forwarding component 42, and then forwarded on to the subscriber 10 with replacement of the destination address with the subscriber's IP address obtained from the NAT. Thus, NAT maps the initial network address in data packets exchanged between the service gateway 18 and the subscriber to the new network address in data packets exchanged between the service gateway 18 and the selected layer-3 network.
A third alternative to effect the change of IP address for IP sessions employs a combination of NAT and DHCP. It is assumed that the subscriber initially obtains an IP address using DHCP. At the time that the new service is selected and the subscriber is transferred to the new forwarding component, the VPN selection and transfer logic 44 acts as a DHCP proxy for the subscriber and obtains the new IP address. It then creates a pair of NAT entries in the same manner described above, and handles the subscriber traffic using NAT until the subscriber attempts to renew its IP address using DHCP. At that point, the VPN selection and transfer logic 44 rejects the renewal request and, when the subscriber re-initiates DHCP discovery, provides the subscriber with the newly obtained IP address for the selected SP network 28. At that point, the NAT entries are deleted, and subsequent subscriber traffic is forwarded directly (i.e., without NAT) according to the contents of the forwarding component 42.
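The following model walks through the logic of steps 50 and 52 together with the combined NAT-and-DHCP mechanism just described: a subscriber is placed in the access-provider VPN, transferred to a service-provider VPN with an interim NAT pair, has its renewal of the first address rejected, and is handed the second VPN's address on re-discovery. It is an added illustration, not code from the patent or from any Cisco product; the class names, VPN labels, subscriber ids and IP addresses are all constructed.

```python
"""Per-VPN forwarding components, interface-independent sessions, the step-52 transfer
event, interim NAT and DHCP renewal rejection/re-discovery, as described above. Added
illustration, not the patent's code; every name and address is constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ForwardingComponent:
    vpn: str
    pool: list                                # allocable addresses for this VPN
    active: set = field(default_factory=set)  # subscriber ids with sessions here

    def allocate(self) -> str:
        if not self.pool:
            raise RuntimeError(f"address pool for {self.vpn} exhausted")
        return self.pool.pop(0)

@dataclass
class Session:
    sub_id: str
    interface: str
    vpn: str                     # VPN whose forwarding component carries the session
    address: str                 # address the subscriber currently puts in its packets
    nat: Optional[tuple] = None  # (subscriber-side, VPN-side) pair while NAT is interim

class ServiceGateway:
    INITIAL_VPN = "AP"  # first contact lands the subscriber in the access-provider VPN

    def __init__(self, components):
        self.fc = {c.vpn: c for c in components}
        self.sessions = {}

    def dhcp_discover(self, sub_id: str, interface: str) -> str:
        s = self.sessions.get(sub_id)
        if s is None:  # initial placement: add to a VPN and assign an address
            fc = self.fc[self.INITIAL_VPN]
            s = Session(sub_id, interface, fc.vpn, fc.allocate())
            fc.active.add(sub_id)
            self.sessions[sub_id] = s
        elif s.nat is not None:  # re-discovery after a NAKed renewal
            s.address = s.nat[1]  # offer the address already allocated in the second VPN
            s.nat = None          # retire the interim NAT pair
        return s.address

    def dhcp_renew(self, sub_id: str, requested: str) -> bool:
        """True = ACK, False = NAK; a pending transfer refuses renewal of the first address."""
        s = self.sessions.get(sub_id)
        if s is None or requested != s.address:
            return False
        return s.nat is None

    def transfer(self, sub_id: str, to_vpn: str) -> str:
        """Step 52: service selection, control policy action or service termination."""
        s = self.sessions[sub_id]
        old_fc, new_fc = self.fc[s.vpn], self.fc[to_vpn]
        new_addr = new_fc.allocate()   # gateway obtains the new address as DHCP proxy
        old_fc.active.discard(sub_id)  # (1) not active in the first VPN ...
        new_fc.active.add(sub_id)      #     ... active in the second VPN
        s.vpn = to_vpn
        s.nat = (s.address, new_addr)  # (2) interim NAT until the client re-addresses
        return new_addr

    def from_subscriber(self, sub_id: str, pkt: dict) -> tuple:
        s = self.sessions[sub_id]
        pkt = dict(pkt)
        if s.nat and pkt["src"] == s.nat[0]:  # forward NAT entry: rewrite source
            pkt["src"] = s.nat[1]
        return s.vpn, pkt

    def to_subscriber(self, sub_id: str, pkt: dict) -> dict:
        s = self.sessions[sub_id]
        pkt = dict(pkt)
        if s.nat and pkt["dst"] == s.nat[1]:  # reverse NAT entry: restore destination
            pkt["dst"] = s.nat[0]
        return pkt

def run_scenario() -> dict:
    """sub-A: placement, transfer, interim NAT, NAKed renewal, re-discovery; sub-B shares if-1."""
    gw = ServiceGateway([ForwardingComponent("AP", ["10.0.0.5", "10.0.0.6"]),
                         ForwardingComponent("SP-1", ["198.51.100.7"]),
                         ForwardingComponent("SP-2", ["203.0.113.9"])])
    out = {"initial": gw.dhcp_discover("sub-A", "if-1")}
    out["new_addr"] = gw.transfer("sub-A", "SP-1")
    out["interim_fwd"] = gw.from_subscriber("sub-A", {"src": "10.0.0.5", "dst": "192.0.2.1"})
    out["interim_rev"] = gw.to_subscriber("sub-A", {"src": "192.0.2.1", "dst": "198.51.100.7"})
    out["renew_ack"] = gw.dhcp_renew("sub-A", "10.0.0.5")
    out["rediscover"] = gw.dhcp_discover("sub-A", "if-1")
    out["final_fwd"] = gw.from_subscriber("sub-A", {"src": "198.51.100.7", "dst": "192.0.2.1"})
    gw.dhcp_discover("sub-B", "if-1")
    gw.transfer("sub-B", "SP-2")
    out["active"] = {v: sorted(c.active) for v, c in gw.fc.items()}
    return out
```

A subscriber with a static address simply never re-enters discovery, so in this model its NAT pair persists for the life of the session, which is the pure-NAT case described earlier.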
It should also be noted that it may not be necessary or possible to effect a change of the subscriber's network address, and thus in some cases no such change is made. One such situation is when the subscriber's network address is public and routable in both the current and new VPNs. Alternatively, the subscriber session may be a layer 2 session and thus the service gateway 18 is not aware of the subscriber's network address.
While this invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Pruss, Richard Manfred, Haag, Jeffrey David, Kotha, Murty Subba Rama Chandra, Gagne, Francois, King, Matthew Lawrence
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Nov 21 2006 | HAAG, JEFFREY DAVID | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018715 | /0659 | |
Nov 24 2006 | GAGNE, FRANCOIS | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018715 | /0659 | |
Nov 27 2006 | KOTHA, MURTY SUBBA RAMA CHANDRA | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018715 | /0659 | |
Nov 27 2006 | KING, MATTHEW LAWRENCE | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018715 | /0659 | |
Dec 02 2006 | PRUSS, RICHARD MANFRED | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018715 | /0659 | |
Dec 14 2006 | Cisco Technology, Inc. | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Jun 08 2015 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Jun 06 2019 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Jul 24 2023 | REM: Maintenance Fee Reminder Mailed. |
Jan 08 2024 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Dec 06 2014 | 4 years fee payment window open |
Jun 06 2015 | 6 months grace period start (w surcharge) |
Dec 06 2015 | patent expiry (for year 4) |
Dec 06 2017 | 2 years to revive unintentionally abandoned end. (for year 4) |
Dec 06 2018 | 8 years fee payment window open |
Jun 06 2019 | 6 months grace period start (w surcharge) |
Dec 06 2019 | patent expiry (for year 8) |
Dec 06 2021 | 2 years to revive unintentionally abandoned end. (for year 8) |
Dec 06 2022 | 12 years fee payment window open |
Jun 06 2023 | 6 months grace period start (w surcharge) |
Dec 06 2023 | patent expiry (for year 12) |
Dec 06 2025 | 2 years to revive unintentionally abandoned end. (for year 12) |